Paul Proctor
VP Distinguished Analyst, 10 years at Gartner, 28 years in the IT industry

Paul Proctor is a vice president, distinguished analyst, and the chief of research for security and risk management. He helps organizations build mature risk and security programs that are aligned with business need.

I have taken lead on organizing Gartner’s guidance to our clients following the Sony Hack revelations. Of course you have already read dozens of blogs and news articles packed with advice so why would you need more? The simple answer is that all the eyeball grabbers out there seeking to be first to print are […]

This is a guest blog entry by my colleague and friend Tom Scholtz. The compromise of several unencrypted files containing administrative passwords apparently exacerbated the impact of the Sony cybersecurity breach. Many commentators have argued that Sony should have mandated some kind of encrypted password vault solution that the sysadmins must use. The reality however […]

It’s easy to pick on the security of a company that has just been hacked, but I don’t think it is fair, accurate, or defensible. Make no mistake, there are companies with terrible security practices who have been hacked and likely deserve derision, but I have trouble believing that Sony Pictures is one of them. […]

Is the Internet Secure Enough? How could it be? Have you read the headlines, seen the regulatory requirements, or experienced the hysteria? And yet those millennials will give away any information they have for a free taco. They seem to trust the Internet, and yet most of us don’t. Trust is an interesting concept in […]

We are 8 months into our GRC process reset and we have selected the vendor participants for many of the use cases. For a complete discussion of our reset process, read this post. Brief context: GRC is one of the most flexible terms in the vendor lexicon, because most of them use it to describe whatever […]

This post is being updated periodically to address vendor categorization changes. Last update 9 July 2014. We are 6 months into our GRC process reset and we have some progress to report. A quick disclaimer: This blog post contains no Gartner analysis, because to this point, our process has (mostly) been a self-selecting process. […]

Risk and security teams are going through a major transformation. Mobile, social and cloud move business data and processes outside of the perimeter, and outside of traditional enterprise control. Plus, these are dynamic environments with no stability or predictability. Managing appropriate levels of risk in this environment will require a new approach. Watch the […]

You think Target was a big deal? Get ready for more of the same thanks to the attitudes and understanding of consumers and corporate leadership. The cultural disconnect between business decision makers and technology risk remains epic. They still believe this is a technical problem, handled by technical people, buried in IT. You don’t need […]

The headlines are schizophrenic. One day it is “Oh no! Oh no! We’re all gonna die!” and the next day it’s “What? Me worry?” The more dangerous of these are the headlines that suggest that we are all going to be fine, because the FUD may be annoying, but organizations are always seeking an excuse […]

Richard Engel and NBC News recently posted several reports from Sochi, Russia based on an “experiment” they did. I applaud them for bringing attention to the critical condition of cybersecurity, but the report is misleading in two major respects. First, they have directly positioned this as just turning on your mobile device and computer will […]